On Thu, Mar 29, 2012 at 8:38 AM, John Nagle <[email protected]> wrote:
>>> Anything that takes a credit card should have at least "organization
>>> validated".
>> Can you actually think of a reason for that?
>  Anonymous online businesses are illegal.
>
>  It's a criminal offense in California to accept a credit card on line
> without previously disclosing the actual name and address of the
> business.  Business and Professions Code, section 17538:

[...]

Wow, you mean that someone who puts up a web site in their home
jurisdiction is suddenly, utterly, and without fail subject to every
other jurisdiction where they didn't set up shop?

The judiciary in California has actually rejected that argument.

> Ref:
> http://www.leginfo.ca.gov/cgi-bin/displaycode?section=bpc&group=17001-18000&file=17530-17539.6
> "service provider": any natural or legal person providing an information
> society service; (by which they mean a web site)

Not merely a web site.  According to this quoted section, a modem
dial-up information service provider is just as liable -- it appears
to have intended to target BBSes much more than the Internet.

> ....
> Member States shall ensure that the service provider shall render easily,
> directly and permanently accessible to the recipients of the service and
> competent authorities, at least the following information:
> (a) the name of the service provider;
> (b) the geographic address at which the service provider is established;"
> ....
>
> Ref:
> http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000L0031:EN:HTML

Cool, it's a statement from a jurisdiction I don't have to worry
about.  Member states can only ensure things within their own
jurisdictions, and the US is not subject to EU directives (among other
things).

> If you can't easily tell who's behind a web site, and it's engaged
> in commerce, the site operator is a criminal.

If the web site is based somewhere that requires such, and the
operator doesn't, then your claim holds.

If the web site operator has no nexus in any jurisdiction that
requires such, the site operator is not criminal regardless of your
assertion.

Please go to https://nvsos.gov/ and tell me whether Nevada Secretary
of State Ross Miller happens to be a criminal for using a DV
certificate.

And then also please look at NRS and NAC 720, Nevada's Certification
Authority statutes and regulations (under "Licensing Center", then
"Digital Signatures") and tell me, is Thawte (based in California)
subject to them?

> We (as SiteTruth) work to make web site ownership more visible,
> as you can see at the "sitetruth.com" site.  We encourage the CA
> and browser communities to work toward that.  Get tough on
> anonymous businesses. The law supports you in this.

Not in every jurisdiction, sorry.  And attempts to prevent things
outside of the realm of what you consider 'legitimate' may even cause
"restraint of trade" liability.  (And attempts to create systems that
don't deal with the fact and reality of legitimate information control
regimes other than ones you can envision lead to systems that aren't
adopted.)

You're more than empowered to state that your opinion is thus, but
please don't malign the legitimate operators of sites legitimately
served by DV.

>                                John Nagle
>                                SiteTruth

Besides... the browsers aren't the ones who can enforce this, the
Payment Card Industry contracts and audits are.  They deal with
everything related to the laws of the jurisdictions they are formed
within, and have much more in the way of legal clout than browsers or
CAs do.

-Kyle H
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
